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(57) Abstract: A "on line" system of conditional access and audi- 
ence control for communication service of the broadcast and mul- 
ticast kind that does not use smartcard or other dedicated hard- 
ware on the user side, in which a set of information data for broad- 
cast communications (unidirectional) is encrypted by means of dy- 
namic keys that are sent to each enabled user through an interactive 
and bidirectional channel. 
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A ON-LINE SYSTEM FOR CONDITIONAL ACCESS AND AUDIENCE 
CONTROL FOR COMMUNICATION SERVICES OF THE BROADCAST AND 
MULTICAST KIND 

DESCRIPTION 

5 The present invention relates to a conditional 

access and audience control on-line system for 
communication services of the broadcast and multicast 
kind. 

In the communications from one-to~many, typically 
10 i.e. in the broadcasting and in multicasting, there is 
the need of realizing a cryptography system and a 
conditional access system for ensuring the secrecy of the 
communication within a group of users enabled to the 
reception . 

15 However, nothing prevents to a user of the group to 

help third parties to receive illegitimally the data 

reserved to the group. 

This problem, known as ''^piracy" is particularly 

known, for instance, in the realm of digital pay- 
20 television which is broadcast, typically, through 

satellites . 

The piracy operates usually according to two ways : 
a) it distributes illegally the decrypted contents (in 
clear) ; 

25 ' b) it distributes the decrypting ^"keys". 

The present invention is finalized basically to the 
protection of contents having a commercial value, 
therefore not necessarily secret, but to be protected 
mainly from the standpoint of the use rights (for 

30 instance a television program, stocks exchange data, 
etc . ) • 

In this case it is considered not interesting a 
defence with respect to the first kind of problem, 
because an illegal re-distribution of the contents of 
35 such kind, i.e. ''known'' contents, can be always made from 
the technical standpoint. 

For instance, it is possible to retransmit a 
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television program received by means of a decoder 
legitimally authorised to the reception. In such case it 
is clear that the problem becomes mainly a matter of 
intervention by law enforcement forces . 
5 On the other side it is always important to protect 

also this kind of information, mainly in those cases in 
which such information of the ^^real time" kind and 
therefore it loses a big part of its value if received a 
certain time after with respect to the enabled utilisers 
10 of the group (one may think, again, to the rates of stock 
exchange shares or to the transmission of live sports 
event) . 

In this cases it is therefore important the method 
for the distribution of the decrypting keys. 
15 The present invention consists in a method for the 

distribution of the decrypting keys that: 

1. foresees the distribution of the keys only to 
authorized users; 

2. can be realized with a minimum ^^over-head" on the 
20 communication band; 

3. guarantees the operation also in the case in which 
data must be decrypted in real time, even not 
requesting high computation capabilities . at the 
level of reception systems of the users; 

25 4. allows to assign to each single user an amount of 

time units for service (as for the telephone tokens) 
to be ^'spent" at his will; 
5 . allows the control of the real audience for each 
service; 

30 6, as a further optional object, it allows to identify, 

with a high probability, a possible ^'traitor", i.e. 
an enabled user of the group that spreads illegally 
the keys . 

The system according to the invention is mainly 
35 considered for the use on services broadcast in multicast 
way in the network (Internet, Intranet, Extranet, LAN) 
but it can be also used in the digital transmission of 
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the broadcast kind (via satellite) or terrestrial. The 
system may also be used with cellular telephony (UMTS, or 
GPRS, hybrid-network Sat-Tv with a return over a 
telephone cable, or with satellite systems in Ku/Ka 
5 band) - 

The present invention and the state of the art 

In the field of digital pay tv, the conditional 
access system most used is based on the use of the so- 
called '^smart cards''. 

10 This system is generally considered ''^secure" when 

compared typically with systems which are completely by 
software. As a matter of a fact, as if it is true that 
the ^""smart cards'' are much more secure of a only software 
system, they too may be decrypted after a certain time 

15 interval. 

In such a case the damage is very great because it 
is necessary to replace a great quantity of peripheral 
systems or ''''smart cards". 

In the field of the Internet protocol multicast 

20 (IP) , solutions are being searched in which the 
conditional access is handled at the router level. These 
systems lead theoretically to an optimal use of the band, 
but entail heavy structure requirements - 

Other systems have been instead considered for the 

25 protection of static information, for instance the 
information written, on a CD. For instance, US patent 
5.400.403 appears to be well adapted to such purpose but 
bases all the ^''abuse resistance" on the fact that the 
decrypting system is personalized for each user and has 

30 dimensions similar to the information itself (it is a 
system that could be defined '^with persistence in the 
space") . Consequently, it is thought, to redistribute 
such system of cryptography is both costly and apparent, 
(being personalized for each user, a copy and 

35 redistribution in great quantity would bear implicitly 
the signature of the ''^traitor") . 

The present invention is different with respect to 



wo 01/99029 PCT/lTOl/00315 

-4- 

the previous systems in that: 

- it has the purposes of protecting the data at the 
moment itself of their broadcasting, by means of an 
enciphering of the same effected with a system based on 

5 keys that change dynamically during the broadcasting of 

the data themselves, each of these keys being associated 
to a short portion of the data themselves; 

- it does not require the use of smart cards or other 
hardware specifically destined to the conditional 

10 access; 

- it requires the availability of a communication 
channel for the distribution of the keys to the user 
systems, along the one-to-many channel either broadcast 
or multicast utilized for the broadcasting of the data 

15 of contents, which allows a communication in a reliable 

bi-directional mode but does not place particular 
requirements on such channel; 

- it bases the resistance to the abuse by a potential 
traitor mainly on the implementation costs and on the 

20 visibility of a illicit service of dynamic distribution 

of the keys to the systems of the users, consequently it 
bases the resistance on the factor, ^^persistence in 
time" rather than on the factor ''persistence in the 
space"; 

25 the cryptography software on the user side may be of 

very limited dimensions and it can be typically 
distributed in a telematic mode, with the possibility 
also of a frequent updating, just for discouraging 
further possible traitors (a further factor of 

30 ''persistence in time") ; 

- as a further characteristic being the keys distributed 
on-demand to the users, it allows to compute exactly the 
audience of a contents diffused in broadcast mode up to 
the detail of each one of its single portions (placed in 

35 correspondence with each key) ; 

- as a further feature, it allows the on-demand access of 
each user also to a portion of the contents, according 



wo 01/99029 



-5- 



PCT/1T01/003J5 



to his interest, up to the ^^graininess'' of the time 
portion placed in bi-univocal correspondence with the 
respective key: one may think, for instance, to a 
broadcast service for stock exchange data in real time 
5 in which the cost is a function of the utilisation time 

by the user; 

- it allows to make minimum the dimension of the 
distribution channel for the keys, avoiding the 
dimensioning on a possible traffic peak, thanks to a 
system of dilution of the distribution of the keys 
obtained with a transmission of the keys also beforehand 
with respect to the data correlated to them. 

In the following discussion reference will be made 
to communication services broadcast with IP multicast 
protocol on the internet; this because it is obvious that 
on the internet or intranet the requirements of the 
availability of a two ways communication systems may be 
easily satisfied, for . instance between the transport 
control protocol - internet protocol with the enabling of 
a normal unicast session at the same time of a multicast 
communications • 

By considering that in perspective the availability 
of a permanent internet connection (or simply a telephone 
connection) , it may became a reality also at the home 
level, the system may be advantageously also be utilized 
for the protection of communications services broadcast 
through other means, such as for instance the digital 
television via satellite, possibly with a return of 
information user-provider by cable, or, with the proposed 
systems for the connection in downlink in the Ku band and 
the connection in uplink in the band Ka. 

The system according to the present invention 
includes elementary blocks, preferably implemented via 
software, organized as detailed in the characterising 
part of the attached claims. 

The present invention will be now described with 
reference to its embodiments presently preferred to as an 
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illustration and not as a limitation, and making 
reference to the figures of the attached drawings, in 
which: 

- figure 1 shows the general architecture of the system 
5 according to the invention illustrated in terms of 

operational blocks, that may be equally realized in 
hardware or in software even if, obviously, the software 
solution will be the preferred one; 

- figure 2(A), 2(B), show flow diagrams relating to the 
10 operation of the block 1 of figure 1, (Transmission 

Crypto Manager) ; 

- figure 3(A), 3(B) show flow diagrams relating to the 
operation of the blocks 6 of figure 1 (Conditional 
Access System) ; and 

15 - figures 4(A), 4(B), 4(C) show flow diagrams relating to 
the operation of block 9 of figure 1 (Decrypt) . 
Architecture of the System 

In the block diagram of figure 1 there are 
highlighted the different functional blocks relating to 

20 the Service Centre of a Provider which delivers IP 
Multicast Systems and those relating to a . User that 
utilises one or more of such services. 

The Provider and the User are interconnected by 
means of a Network (5) (LAN, Intranet, Internet or 

25 another transmission medium with a bi-directional 
capability as above discussed) that supports both the 
Multicast IP transmission and the bi-directional 
communication, that in this example is indicated by the 
communication protocol TCP/IP. Of course, in general, 

30 there are possible several Providers which deliver 
services on the same Net. 

The functional blocks shown in the architecture 
indicate Programs (software) that run on standard 
operative systems and hardware. For instance, all the 

35 Service Centre may be concentrated on a computer or on 
several Computers in LAN or through the Internet itself, 
while Programs on the User side may be operated typically 
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in a concurrent way on a Personal Computer of the ^'stand- 
alone" kind or also on a Client - Server architecture. 

The implementation of the Programs may be realised 
with several languages. The preferred one is however 
5 Java, both on the Provider side and on the User side so 
that the services may be utilised on the greatest number 
of hardware and software platform. 

Now the several blocks of figure 1 will be 
explained: 
10 1 . Service Manager 

The Service Manager is arranged for receiving one or 
more information flows destined to the transmission 
in Multicast mode (that, from this point onwards, 
will be identified simply as Flows'') and handles 
15 the transmission, assigning to each of them an ID 

that characterises it. 
2 . Transmission Crypto Manager (T.CM.) 

The T.C.M. performs the enciphering of each Flow 
using an adequate algorithm with dynamic key, i.e. a 
20 key that is changed for each predeterminated period 

of time (or number of records of data that has been 
transmitted) . Such Keys (constituted for instance of 
64 bits) are generated automatically and in a random 
way by the T.C.M. itself and communicated to the 
25 Conditional Access System (6), together with an 

identifier of each specific Key (K.I.) (alternately 
the key may be generated by the C.A.S. 6 and 
communicated to the T.C.M. 2) . 

More precisely, the T.C.M. operates on the flow in 
30 the following way: 

i) it divides the Flow in Packets 

ii) it generates the keys, typically a new key 
every N Packets or every M seconds (or 
minutes) . 

35 iii) it formats a packet constituted in this way: 

- ID of the Flow 

- K.I. (Key Identifier) of the Key with which the 
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Packet is enciphered, it is a progressive number 
that individuates the key presently utilised for 
enciphering the data field of the packets and 
also the one relating to this specific packet. 

- A data field enciphered by means of the algorithm 
associated to the particular key identified by 
K.I- 

- N.K.I. (New K.I.) indicates the next K.I., i.e. 
the next key that will be utilised when the 
present one will be elapsed. 

- C.R-C, for instance constituted of 32 bits for 
recognizing an erroneous packet. 

iv) for each change of key it communicates to the 
C.A.S. (6) the pair N.K.I. - New Key (so that, 
as it will be seen herein after, the C.A.S. (6) 
has available the time for delivering it to all 
the enabled Users before that such New Key be 
used) . It should be noted that the concept of 
foreseeing the possibility for the User System 
of acquiring in advance the next key may be 
extended to the fact of acquiring a given 
number of next keys . 
Transmission Format Processor (T.F.P.) 
The T.F.P. completes and processes the data packet 
adding all what is necessary for the transmission in 
the specific considered protocol (for instance IP 
Multicast) . Typically, in order to increase the 
reliability of the transmission, there will be used 
standard algorithms for Forward Error Correction or, 
more simply, there will be added an additional 
packet every L packets, in which each bit is 
computed as an EXOR of the bits in the same position 
in the L associated packets (bit(i) = Pl(i) EXOR 
P2(i) ... EXOR PL (i); in such a way, on the 
reception side, the Error Correction system of the 
Block (8) may correct/reconstruct a packet 
erroneous/missing in the L packets. 
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Network Interface (N.I.) 

The block N.I. represents a standard hardware and 
software interface for the communication Net. For 
instance in the case of the Internet, it could be a 
Modem with a pertaining Driver and Socket - 

Net 

As before said preferably it can be a net like the 
one used for the Internet or equivalent or the other 
data communication structure with a mono-directional 
and bidirectional capability above detailed in the 
introduction of the specification. 
Conditional Access System (C-A.S.) 

This system block is responsible for the 
transmission of the Keys to the enabled Users. 
The system verifies before all on the Data Base of 
the Users that the User requesting the keys is among 
those authorized for the specific Flow relating to 
the requested key. 

Then it arranges itself to provide the key to such 
client each time that he requests it, in an 
interactive mode (TCP/IP) . 

There is provided a mode for utilization of the 
service, by the user, ^'according to the use": in 
such a case to the user are assigned a given number 
of Tokens corresponding each to a potential request 
of delivery of a new key. 

For each request and delivery of key, the 
availability of tokens is decremented of one unit. 
When the tokens are finished, to the user is denied 
the delivery of new keys up to when the availability 
of tokens has been recharged. 

It should be noted how the C-A.S. has the complete 
availability, in real time, of the number of active 
users, or of the audience. 

The keys are provided to the C.A.S. by the block 
T.C.M. (2) . 

Network Interface (N.I.) 
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The block N.I. is the equivalent, on the side of the 
user, of the system formally indicated at the 
paragraph 4 as Network Interface (N.I.)- 
8 . Error Correction System 

5 The system verifies the correctness of the received 

packets (computing the C.R.C. and comparing it with 
the one carried by the packet) and performs the 
correction/reconstruction as it has been above 
shown . 

10 9. Decrypt System (D.S.) 

With D.S. there is identified the system that 
actually, on the user side, performs the functions 
of key request and of decrypting of the received 
data, transferring then the decrypted data to the 
15 application (10) that utilizes them. 

The D.S.. It can operate autonomously and 
automatically or, as it has been showed in the 
figure, it may operate upon request of the 
application (10) (request of tokens) • 
20 In this latter case (10) spends" a token each time 

it wants to receive data. Then the D.S. is activated 
for requesting the key and then to decrypt all the 
arriving packets to which that key gives access. 
The D.S. informs the application (10), with a 
25 reasonable advance, when the key (the token) is 

going to exhaust its utility, and then is necessary 
j to request the New Key (corresponding to the N.K.I.) 

for decrypting the subsequent sequence of packets . 
If the user, through the application (10), confirms 
30 the will of continue (it spends another token) the 

new key is requested and the reception occurs 
without any loss of data. Otherwise, when the 
packets that can be decrypted with the present key 
have been exhausted, the reception is interrupted - 
35 As an alternative, it can be the D.S. itself, the 

requests automatically the new key without need of 
receiving a '^Token Request" by the application (10) . 
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Since the new key is provided to the C.A.S. (6) by 
the T.C-M. (2) at the same time of the broadcast in 
Multicast of the corresponding N.K.I. , the D.S. 
could request the new Key as soon as the N.K.I. 
5 changes. As a matter of fact, in order to avoid that 

all the active D.S. (in correspondence of each user 
or application (10)) perform the request in the same 
moment, there may be introduced a random delay so 
that the requests may be distributed in time. 

10 10. Application 

For application it is meant any application that 
uses the data transmitted in Multicast. 
It should be remarked how the division in three 
programs of the functions of Error Correction, 

15 Decrypt and Application are basically of ' a logic 

type. It is possible that the three logic modules 
are contained in a single program, possibly also a 
program written in Java and downloaded through the 
Internets 

20 The individuation of the possible ^"Traitor"" (Traitor 
Tracing) . 

The above described system reaches all the objects 
indicated in the first paragraph with the exception of 
the last optional one (6), i.e. the automatic 

25 identification of a possible ""^Traitor'' that re-broadcast 
illegally the keys. 

As a matter of fact the system places however 
significant problems upon the traitor, since he should 
set up a continuously operating structure that therefore 

30 may be easily identified with a suitable investigation. 

In order to make easier further the identification of the 
''^Traitor" it would be necessary that to each user keys be 
delivered which identifies him in a unique way. 

Obviously, since the data are encrypted in a single 

35 way for all the users, this object cannot be easily 
reached. 

There are proposed here to different ways for 
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reaching the object. 

a) A Multiple Key Encrypting System 

This system has been proposed but shows an 
appreciable complexity . 
5 b) A Computed Key System (which is a part of the present 
invention) 

Each computed key provided to each user is really a 
transform of the real key, computed with a different 
Function from user to user, changed with a certain 

0 frequency (for instance each day) . 

Such Function may be simply, for instance, a further 
scrambling key, different from user to user, such as the 
actual key is computed in EXOR bit to bit with itself. 

A true decrypting key = Computed key in EXOR 

5 Scrambling Key, (changed each day) 

For making still more difficult the task of the 
potential traitor, the Function will be more complex and 
the change of the same will not be limited "to the 
periodical substitution (each day) of the Scrambling Key 

0 of the user: for instance, in place of applying the 
Scrambling key to a simple EXOR, such key may be utilized 
as a initialization of a Linear Feedback Shift Register, 
with feedback loops which are not the same for all the 
users, (and in any case modified each day) . 

,5 In order to render more effective the protection 

against the potential Traitor, the Function may be 
written at the interior of the decrypt program itself 
(9), still better if it is on its turn the same thing 
with the Error Correction (8) and the Application (10) . 

lO All this in order that it be very complex to perform 

a Reverse Engineering of the Function, or that it is 
necessary for the purpose of the Traitor a time higher 
than the change rate of the Function itself, so that he 
is always compelled to track it. 

►5 The updating of such a function may be performed in 

several ways, for instance it can be made automatically 
via the Internet. 
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Of course the adoption of such system will entail a 
corresponding matching of the functionality of C.A.S. 
(6)/ which will have to generate such functions, to 
memorise them in the D.B. of users (7), delivery it then 
5 to each user periodically (each day) , to compute, using 
the generated Function for the specific user, the 
computed keys to be provided to him. 

It is considered convenient that, with the adoption 
of a system of Traitor Tracing with a different key / 

10 computed key for each user, that such keys be processed 
and stored on the D.B. of user (7) in advance, off-line, 
in order not to load the C.A.S. during the on-line 
operation. In such a case, the T.C.M. (2), will have 
itself to produce in advance the keys and the N.K.I, and 

15 to deliver them to the C.A.S. that performs the 
processing. All this, may, for instance, be made in a 
period of low activity (on the night) . 

It will be now disclosed, as a non limiting example, 
with reference to figures from 2(A) to 4(C) the software 

20 architecture of the system according to the invention 
disclosed with reference to figure 1. 
TCM (block 101) 

The TCM begins with a first block (102) for several 
initialisations: there is placed KI=0, that is the 
25 indicator of the current key, and NKI=1, that is the 
indicator of the new key. 

There is initialised and also a time variable T 
corresponding to a function FTIME that provides a integer 
number corresponding to the seconds elapsed since the 

30 beginning of the day. There is established also a 
constant PERIOD that represents a number of seconds 
corresponding to the period of change of the key. 

Now the firs key is initialised, corresponding to 
KI, that at the beginning is equal to 0, and the 

35 subsequent key, that is NCHIAVE, substantially with two 
random numbers computed with the function RANDOM (here 
computed as a function respectively of the T + 1) . 
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After the completion of the initialisation the 
operation go the subsequent block (103) that is after the 
address ALFA. 

There is sent to the C.A.S. (6) KI and NKI, as well 
5 as the key corresponding ^'CHIAVE" and the new key 
^^NCHIAVE" abound the two variables T and PERIOD, so that 
the C.A.S. (6) knows the moment in which these keys have 
been created.- 

At the block (104) TCM (2), acquires from the 
10 SERVICE manager (1) a new data vector VDATI . 

The operation go then to the block (105) that 
follows: there is encrypted the data vector and there is 
generated a vector VCRIPT by means of the function 
FCRIPT. 

FCRIPT is any encrypting function that combines a 
data vector with a key; a key that in the following will 
change generating different VCRIPT also and not only a 
function of the data vector but also of the key (dynamic) 
itself . 

Subsequently the data packet, block (106) (here we 
are dealing of IP packets) is' completed with other data 
among which the identifier ID of the service, port code 
^^COD. PORT" (in the IP protocol is used for identify a 
destination port) . 

There are then inserted in the packet also KI and 
NKI, obviously the data vector encrypted VCRYPT and a 
CRC, that is used then for the reception and for 
verifying whether the received packed contains errors. We 
will see in the following that there is an error 
correction system (8), that is not part of the invention, 
through which these data are verified. 
Now we pass to ''BETA". 

At the block 201, the packed thus completed is at 
this moment sent, i.e. passed to TFP (3) that is a system 
that completes and possibly adds to the packets further 
information, useful, for instance, for the forward error 
correction functions . 
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In the block (202) there is recorded the time moment 
Tl at which has been generated (T1=FTIME, i.e. the 
present hour) - 

At the block (203) there is verified, by making the 
5 difference between Tl and T, whether it has been overcome 
the period of seconds PWRIOD (after the elapsing of which 
the key must be changed) : if it has not been overcome it 
may go back to point y and then to the figure 2 (A) where 
a new data packet is acquired and the cycle goes on. 
10 Substantially this cycle goes on up to when (Tl-T) 

becomes greater than PERIOD. 

After the elapsing of this period, block (204), it 
is then necessary to update the keys: before all the 
present key KI becomes the next key then KI=NKI, NKI is 
15 incremented of 1 . 

After this there is verified at the block (205) 
whether NKI has become higher than a maximum possible 
integer number because in that case it is necessary (to 
reset it) to the block (206) so that one there is not an 
20 overflow. 

Normally then at block (207) the present key becomes 
the key that beforehand was NCHIAVE and it is necessary 
to produce the next future key NCHIAVE (as a random 
expression of the time instant T) . 
25 At this moment it is possible to perform a loop and 

to go back to ALFA and to start again the whole cycle. 

In the figure 2 (C) there is explicitated the 
cryptography function that, as above said, is not part of 
the invention, since this may be any function that 
30 performs the encrypting of a data packet with a secret 
key. 

Here however is intended to give an example of a 
very simple system of encrypting, in which the key is 
simply utilized by making an EXOR bit by bit with the 
35 data packet in a sequence. It is considered non-necessary 
a detailed explanation of the sequence appearing in 
figure 2 (C) . 
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Reference is made now to the C.A.S. figure 3 (A) 
block 301, which is the system responsible for 
transmitting the keys to the enabled users. The program, 
after the necessary initialisation, block 302 is 
5 synchronize to the block 303 in time with the TCM (2) by 
reading the variable T and the constant PERIOD. 

Then at the block (304) (TUIjFA) the system reads from 
the TCM KI and NKI and the values of the two 
corresponding keys (i.e. CHI AVE and NCHIAVE) . 

10 At this moment the CAS, block (305-304) enters in a 

place where there is predisposed to satisfy the request 
by the users that obviously will request a key 
corresponding to a variable KI or NKI. 

(in the case in which there are requested keys 

15 corresponding to identifier variables presently not 
active (for instance elapsed) the system will not reply 
and will have to send an error message) . 

At this moment the system must verify whether the 
user is enabled to receive the requested keys. 

20 In the example that is referred to the concept of 

enabling has been bound to the concept of use, i.e. the 
user is provided with a series of tokens identified as 
TOKEN that allow to him to use the service, each for a 
predeteinnined period of time. 

25 In the system the CAS (6) must verify that the user 

has still available . tokens (as it occurred with the old 
token telephone apparatus) . 

Then at the block (306) TOKEN is initialised with 
the maximum number (MAXINTEGER) . 

30 At block (307) the program then verifies whether the 

user has actually a number of ^'limited tokens" (there 
could be privileged users, for whom for the access to the 
service there is not a need to use of tokens, i.e. the 
user does not have ''^limited tokens'') - 

35 In the more complex case, the i-th user is actually 

of the type with ^^limited tokens". In such case it is 
necessary to verify whether the i-th user has still 
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available tokens. This is made by verifying at the block 
(308) if TOKEN (I) is lower than zero. If this is not 
true, block 309, his availability of tokens is 
decremented of 1 (TOKEN (I) = TOKEN (i) - 1); at the block 

5 (310) there is placed TOKEN = TOKEN (I) and (label BETA). 
In figure 3 (b) the block 401 there is verified whether 
token is lower than 0 (if it was equal to 0 this would 
mean that the last available token is being utilized) - In 
this case the programs goes out of the loop and will 

0 transmit to the user (block 402) that he has requested 
the key simply the variable TOKEN, that will returned to 
him in this case lower than 0 (this value will mean 
exactly for understanding that to him the access has been 
denied) . 

5 If , on the contrary TOKEN is greater than or equal 

to 0, block (403), there is calculated DELTATIME 
(DELTATIME expresses the validity time remaining of the 
key) . 

At this moment the CAS (6) at block (404) verifies 
0 which kind of key has requested (i.e. KI ore NKI) . 

If the requested key is KI then at this moment the 
work is finished and the program should transmit to the 
user, block (405) DELTATIME, PERIOD, TOKEN and CHIAVE (in 
this way the user knows also how many tokens are at his 
5 disposal) ; otherwise the NCHIAVE key will be transmitted, 
block (406) . 

The program goes than back to y and returns in the 
cycle - 

Decrypt System D.S. (9) figure 4(a) 

0 This is the system on the client side that allows to 

the user to talk with the central system that provides 
the keys and to receive then the necessary keys for 
receiving the encrypted text. 

Subsequently the system D.S. 9, as it can be seen 

5 from the architecture diagram, communicates on one side 
with the CAS (6) for getting the key, and on the other 
side receives, through the module Error Correction (8) 
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the data packets (already corrected) that were sent from 
TCM (2) through the TFP (3). 

The function of the DECRYPT is therefore the one of 
performing the decrypting work and then to re-create the 
5 original data packet and to deliver it to APPLICATION 
(10) . 

With APPLICATION 10, there will be also an exchange 
of messages because typically it will be the application 
in effect to request services to D.S. (6), APPLICATION 

10 (10) that on its turn is driven by the user in person who 
decides when and what he wants to receive. 

Let us see how DECRYPT operates (figure 4(a)). 
Initially, block (501), there are effected several 
initialisations that here are expressed in the subroutine 

15 in figure 4 (c) . Let us consider it immediately: fig. 4 (c) 
there is acquired, block 502, a packet from the Error 
Correction (8) and in particular from this first packet 
there are extracted KI and NKI . There are then requested, 
block (503) to C.A.S. (6) both the keys corresponding to 

20 KI and NKI and there is verified block (504) if token is 
lower that zero (in this case the operation go to return) 
otherwise at this moment it is necessary to initialise 
block (505) to new local variables of the function D.S. 
(9) that are exactly DKI (that means Decrypt-KI) and 

25 similarly DNKI, that are placed respectly equal to the 
two variables KI and NKI received by the CAS (6). Then 
the main program is resumed. 

At this moment the first question to place, block 
506, is whether TOKEN is still lower than 0 (i.e. there 

30 is verified whether the user has exhausted the available 
tokens) : in such a case the operation goes directly to 
the end of the program and there is sent a suitable 
message of APPLICAZIONE ('' DENIED ACCESS'') . 

If TOKEN, on the contrary, is not lower than 0 there 

35 is called the subroutine defined as block (507) INPUT- 
DECRYPT-SEND. This subroutine (see figure 4(5)) is the 
one that acquires the packet from the ERROR CORRECTION 
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(8) and performs the decrypting with the key that is 
received from the CAS (6) - 

Consequently the block (508) INPUT-DECRYPT-SEND 
beforehand acquires a packet VCRYPT together with KI and 
5 NKI. 

Subsequently it verifies, block (509) , whether KI is 
equal to the variable DKI. If YES this means that the key 
corresponding has been already acquired by the DECRYPT 
D.S. (9) (it is not necessary to acquire a new key for 
10 each new packet but only when the key is elapsed or not 
available) . 

If DKI is equal to KI this means that the key has 
been already acquired^ that the variable CHIAVE is the 
current variable in order to perform the decrypting- In 

15 this case it can be started the decrypting function, that 
in our example is the same FCRYPT (figure 2(c)) that was 
used by TCM 2 to perform the encrypting (as a matter of 
fact the EXOR used in the FCRYPT operates mirror-like 
both in encrypting and in decrypting) . 

20 There is performed subsequently, block (510) , the 

decrypting of the vector VCRYPT with the key and there is 
regenerated finally the original vector VDATI. At this 
moment block (511) the vector VDATI is passed to the 
application 10 and the return is performed. 

25 Let us go back to the main program (fig. 4 (a)) . 

As it can be seen there is a loop in which there is 
verified, block (512) whether DKI is equal to KI (there 
was read a new KI within INPUT-DECRYPT-SEND, therefore 
there is verified again whether DKI is equal to KI) . 

30 Up to when DKI is equal to KI there may be acquired 

new packets and this ca be decrypted and then sent to 
APPLICATION. When DKI is no more equal to KI, this means 
that the key has been changed. Then it is assumed that 
the subsequently key has been already acquired and 

35 therefore there is placed, block (513), DKI equal to DNKI 
and CHIAVE with NCHIAVE. 

There is verified block (514J whether DKI is 
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actually equal to KI (theoretically it should be always 
this case, unless there has been a malfunctioning, in 
this case it is necessary to execute again the whole 
process of initialisation), again, block (515) a call is 
5 made to INPUT-DECRYPT-SEND, and there is requested, block 
(516) , to the user whether he wants to continue the 
reception, block (516) , (we are in this situation in 
which the key has elapsed and it is necessary to request 
a new one to the C.A.S. (6), that is to use a new token 
10 of the user) . If the user replies yes, block (517) there 
is acquired from the C.A.S. (6) a new key NCHIAVE 
corresponding to NKI and the other ancillary variables, 
there is placed, a block (518) DKI equal to NKI and there 
is made the verification, block (519) whether the tokens 

■ 

15 are finished, i.e. whether token is lower than 0. If YES, 
there is sent a suitable message, block (520) , to 
APPLICATION (10) , if NOT the main loop is resumed. 
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CLAIMS 

1. A ^^on-line" system for conditional access and 
audience control for communication services of the 
broadcast and multicast type of the kind that does not 

5 use smartcards or other dedicated hardware on the user 
side, characterised in that a set of information data for 
broadcast communications (unidirectional) is encrypted by 
means of dynamic keys that are sent to each user enabled 
through an interactive and bidirectional channel ■ 

2 . A system according to claim 1 characterised in 
that said set of information data is transmitted on a 
communication channel that coincides with said 
interactive and bidirectional channel - 

3. A system according to claim 1, characterised in 
that said communication channel of a set of information 
data is separated by said interactive and bidirectional 
channel . 

4 . A system according to one or more of the 
preceding claims characterised in that said decryption 
keys may be acquired, in a certain predetermined 
quantity, in advance by the decrypting system on the 
users side, avoiding in this way the need of dimensioning 
the distribution channel for the keys on a possible 
congestion . 

5 A system according to one or more of the 
preceding claims, characterised in that the protocol ^^one 
to many" is the protocol Internet Protocol Multicast. 

6, A system according to one or more of the 
preceding claims, characterised in that said broadcast 
channel is: 

- a local net of a firm LAN 

- a territorial net WAN 

- any network of the Internet type supporting the 
IP Multicast Protocol; 

- a digital satellite transmission of the type DVB; 
a digital transmission via ether of the kind DVB; 

- a standard transmission for cellular telephony of 
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the kind GPRS or UMTS; 

- a satellite transmission of the directional kind 
over the Ku/Ka bands; 

- a standard satellite transmission V SAT. 

5 7. A system according to claim 6^ characterised in 

that the bidirectional transmission channel on which the 
dynamic keys travel from the center to the users is of 
the kind GPRS, or UMTS or satellite Ku/ka or V SAT, or a 
local net LAN, or a territory net WAN, or any kind of 
network of the internet type supporting the IP multicast 
protocol. 

8 . A system according to one or more of the 
preceding claims arranged for controlling the audience of 
a predetermined service emitted in broadcast. 

9. A system according to one or more of the 
preceding claims, characterised in that it comprises 
means for tracing of a ^^Traitor" by mean of a computed 
key system through a scrambling key different for each 
user. 

10 . A system according to claim 9 characterised in 
that the tracing of the ^^Traitor'' is effected by mean of 
a delivery of keys to the user which are on their turn 
encrypted by mean of complex functions personalised in a 
different way for each user. 

11. A system according to one or more of the 
preceding claims, characterised in that it includes on 
the user side a dedicated hardware for the decrypt 
operation possibly realised by means of a microchip or an 
equivalent electronic circuitry. 

12 . A system according to one or more of the 
preceding claims, characterised in that each user may 
have access, ^'on-demand" also only to portions of data of 
contents emitted in Broadcast, according to his interest, 
up to the graininess relating to the time portion placed 
in biunivocal correspondence with the key associated to 
the portion of contents itself. 

13 . A system according to one or more of the 
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preceding claims, characterised in that it allows the 
control of audience of a contents emitted in broadcast up 
to the detail of the portion of time based in biunivocal 
with the key associated to the portion of contents 
5 itself. 

14. A ^^on-line" system for conditional access and 
audience control for communication services of the 
broadcast and multicast kind according to one or more of 
the preceding claims and substantially as shown and 
10 disclosed with reference to the figure of the attached 
drawings . 
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